Evidence

Version 1 of the EDRM Enron Data Set NOW AVAILABLE – eDiscovery Trends

Last week, we reported from the Annual Meeting for the Electronic Discovery Reference Model (EDRM) group and discussed some significant efforts and accomplishments by each of the project teams within EDRM.  That included an update from the EDRM Data Set project, where an effort was underway to identify and remove personally-identifiable information (“PII”) data from the EDRM Data Set.  Now, version 1 of the Data Set is completed and available for download.

To recap, the EDRM Enron Data Set, sourced from the FERC Enron Investigation release made available by Lockheed Martin Corporation, has been a valuable resource for eDiscovery software demonstration and testing (we covered it here back in January 2011).  Initially, the data was made available for download on the EDRM site, then subsequently moved to Amazon Web Services (AWS).  However, after much recent discussion about PII data (including social security numbers, credit card numbers, dates of birth, home addresses and phone numbers) available within FERC (and consequently the EDRM Data Set), the EDRM Data Set was taken down from the AWS site.

Yesterday, EDRM, along with Nuix, announced that they have republished version 1 of the EDRM Enron PST Data Set (which contains over 1.3 million items) after cleansing it of private, health and personal financial information. Nuix and EDRM have also published the methodology Nuix’s staff used to identify and remove more than 10,000 high-risk items.

As noted in the announcement, Nuix consultants Matthew Westwood-Hill and Ady Cassidy used a series of investigative workflows to identify the items, which included:

  • 60 items containing credit card numbers, including departmental contact lists that each contained hundreds of individual credit cards;
  • 572 items containing Social Security or other national identity numbers—thousands of individuals’ identity numbers in total;
  • 292 items containing individuals’ dates of birth;
  • 532 items containing information of a highly personal nature such as medical or legal matters.

While the personal data was (and still is) available via FERC long before the EDRM version was created, completion of this process will mean that many in the eDiscovery industry that rely on this highly useful data set for testing and software demonstration can now use a version which should be free from sensitive personal information!

For more information regarding the announcement, click here. The republished version 1 of the Data Set, as well as the white paper discussing the methodology, are available at nuix.com/enron.  Nuix is currently applying the same methodology to the EDRM Enron Data Set v2 (which contains nearly 2.3 million items) and will publish to the same site when complete.

So, what do you think?  Have you used the EDRM Enron Data Set?  If so, do you plan to download the new version?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Plaintiff Granted Access to Defendant’s Database – eDiscovery Case Law

Last week at the EDRM Annual Meeting, one of our group discussion sessions was centered on production and presentation of native files – a topic which has led to the creation of a new EDRM project to address standards for working with native files in these areas.  This case provides an example of a unique form of native production.

In Advanced Tactical Ordnance Systems, LLC v. Real Action Paintball, Inc., No. 1:12-CV-296 (N.D. Ind. Feb. 25, 2013), Indiana Magistrate Judge Roger B. Cosbey took the unusual step of allowing the plaintiff direct access to a defendant company’s database under Federal Rule of Civil Procedure 34 because the plaintiff made a specific showing that the information in the database was highly relevant to the plaintiff’s claims, the benefit of producing it substantially outweighed the burden of producing it, and there was no prejudice to the defendant.

In this case involving numerous claims, including trademark infringement and fraud, Advanced Tactical Ordnance Systems LLC (“ATO”) sought expedited discovery after it obtained a temporary restraining order against the defendants. One of its document requests sought the production of defendant Real Action Paintball’s OS Commerce database to search for responsive evidence. Real Action objected, claiming that the request asked for confidential and sensitive information from its “most important asset” that would give the plaintiff a competitive advantage and that the request amounted to “an obvious fishing expedition.”

To decide the issue, Judge Cosbey looked to Federal Rule of Civil Procedure 34(a)(1)(A), which allows parties to ask to “inspect, copy, test, or sample . . . any designated documents or electronically stored information . . . stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form.” The advisory committee notes to this rule explain that the testing and sampling does not “create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.” Judge Cosbey also considered whether the discovery request was proportionate under Federal Rule of Civil Procedure 26(b)(2)(C)(iii), comparing the “burden or expense” of the request against its “likely benefit, considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the action, and the importance of the discovery in resolving the issues.”

Based on its analysis, Judge Cosbey permitted ATO’s request. The benefits of allowing the plaintiff to access the defendant’s OS Commerce database outweighed the burden of producing data from it, especially because the parties had entered a protective order. The information was particularly important to the plaintiff’s argument that the defendant was using hidden metatags referencing ATO’s product to improve its results in search engines, thereby stealing the plaintiff’s customers.

Despite the defendant company’s claims that the information the database contained was proprietary and potentially harmful to the business’s competitive advantage, the court found the company failed to establish how the information in the database constituted a trade secret or how its disclosure could harm the company, especially where much of the information had already been produced or was readily available on the company’s website. Moreover, the company could limit the accessibility of the database to “‘Attorneys’ Eyes Only.’”

So, what do you think?  Was it appropriate to grant the plaintiff direct access to the defendant’s database?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

How to Create an Image Using FTK Imager – eDiscovery Best Practices

A few days ago, we talked about the benefits and capabilities of Forensic Toolkit (FTK), which is a computer forensics software application provided by AccessData, as well as how to download your own free copy.  Now, let’s discuss how to create a disk image.

Before we begin, it’s important to note that best practices when creating a disk image include the use of a write blocker.  Write blockers are devices that allow data to be acquired from a drive without creating the possibility of accidentally damaging the drive contents. They allow read commands to pass but block write commands, protecting the drive contents from being changed.  Tableau and FireFly are two examples of write blockers.

It’s also important to note that while we’re showing you how to “try this at home”, use of a certified forensic collection specialist is recommended when collecting data forensically that could require expert testimony on the collection process.

Create an Image Using FTK Imager

I’m going to create an image of one of my flash drives to illustrate the process.  To create an image, select Create Disk Image from the File menu.

Source Evidence Type: To image an entire device, select Physical Drive (a physical device can contain more than one Logical Drive).  You can also create an image of an Image File, which seems silly, but it could be desirable if, say, you want to create a more compressed version of the image.  You can also image the specific Contents of a Folder or of a Fernico Device (which is ideal for creating images of multiple CDs or DVDs with the same parameters).  In this example, we’ll select Physical Drive to create an image of the flash drive.

Source Drive Selection: Based on our selection of physical drive, we then have a choice of the current physical drives we can see, so we select the drive corresponding to the flash drive.

Create Image: Here is where you can specify where the image will be created.  We also always choose Verify images after they are created as a way to run a hash value check on the image file.  You can also Create directory listings of all files in the image after they are created, but be prepared that this will be a huge listing for a typical hard drive with hundreds of thousands of entries.

Select Image Type: This indicates the type of image file that will be created – Raw is a bit-by-bit uncompressed copy of the original, while the other three alternatives are designed for use with a specific forensics program.  We typically use Raw or E01, which is an EnCase forensic image file format.  In this example, we’re using Raw.

Evidence Item Information: This is where you can enter key information about the evidence item you are about to create to aid in documenting the item.  This information will be saved as part of the image summary information once the image is complete.

Select Image Destination: We’ll browse to a folder that I’ve created called “FTKImage” on the C: drive and give the image a file name.  Image Fragment Size indicates the size of each fragment when you want to break a larger image file into multiple parts.  Compression indicates the level of compression of the image file, from 0 (no compression) to 9 (maximum compression – and a slower image creation process).  For Raw uncompressed images, compression is always 0.  Use AD Encryption indicates whether to encrypt the image – we don’t typically select that, instead choosing to put an image on an encrypted drive (when encryption is desired).  Click Finish to begin the image process and a dialog will be displayed throughout the image creation process.  Because it is a bit-by-bit image of the device, it will take the same amount of time regardless of how many files are currently stored on the device.

Drive/Image Verify Results: When the image is complete, this popup window will appear to show the name of the image file, the sector count, computed (before image creation) and reported (after image creation) MD5 and SHA1 hash values with a confirmation that they match and a list of bad sectors (if any).  The hash verification is a key check to ensure a valid image and the hash values should be the same regardless of which image type you create.

Image Summary: When the image is complete, click the Image Summary button to view a summary of the image that is created, including the evidence item information you entered, drive information, hash verification information, etc.  This information is also saved as a text file.

Directory Listing: If you selected Create directory listings of all files in the image, the results will be stored in a CSV file, which can be opened with Excel.

And, there you have it – a bit-by-bit image of the device!  You’ve just captured everything on the device, including deleted files and slack space data.  Next time, we’ll discuss Adding an Evidence Item to look at contents of drives or images (including the image we created here).
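The hash check from the Drive/Image Verify Results step can be repeated later, outside FTK Imager, to show that a Raw image is still unchanged. The following is an added example, not part of the original post or of AccessData's software: it assumes a Raw image whose fragments are numbered `.001`, `.002`, ... in one folder, and the file name `flashdrive` and all sample data are constructed.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1024 * 1024                      # read size; keeps memory flat on large images
SEGMENT_EXT = re.compile(r"\.(\d{3,})$")  # .001, .002, ... at the very end of the name


def find_segments(first_segment):
    """Return every fragment of a Raw image in order, starting from its .001 file.

    Other files beside the image (for example a summary text file) are ignored.
    A file without a numeric extension is treated as a single-file image.
    """
    first_segment = os.path.abspath(first_segment)
    folder, name = os.path.split(first_segment)
    match = SEGMENT_EXT.search(name)
    if not match:
        return [first_segment]
    stem = name[:match.start()]
    found = {}
    for entry in os.listdir(folder):
        m = SEGMENT_EXT.search(entry)
        if m and entry[:m.start()] == stem:
            found[int(m.group(1))] = os.path.join(folder, entry)
    numbers = sorted(found)
    # A missing fragment would silently change the hash, so fail loudly instead.
    if numbers != list(range(1, len(numbers) + 1)):
        raise FileNotFoundError("fragment numbering has a gap: %r" % numbers)
    return [found[n] for n in numbers]


def hash_image(first_segment):
    """MD5 and SHA1 over the fragments concatenated in order, plus total size."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    segments = find_segments(first_segment)
    for path in segments:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)
                sha1.update(block)
                size += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bytes": size, "segments": len(segments)}


def verify_image(first_segment, recorded_md5, recorded_sha1):
    """Compare freshly computed hashes with the values recorded at acquisition."""
    result = hash_image(first_segment)
    result["md5_match"] = result["md5"] == recorded_md5.strip().lower()
    result["sha1_match"] = result["sha1"] == recorded_sha1.strip().lower()
    result["verified"] = result["md5_match"] and result["sha1_match"]
    return result


def write_sample_image(folder, data, fragment_size):
    """Constructed test data: split `data` into flashdrive.001, .002, ..."""
    first = None
    for offset in range(0, len(data), fragment_size):
        number = offset // fragment_size + 1
        path = os.path.join(folder, "flashdrive.%03d" % number)
        with open(path, "wb") as fh:
            fh.write(data[offset:offset + fragment_size])
        first = first or path
    return first


if __name__ == "__main__":
    device = bytes(range(256)) * 4096    # constructed 1 MiB stand-in for a drive
    with tempfile.TemporaryDirectory() as tmp:
        first = write_sample_image(tmp, device, 300_000)
        print(verify_image(first, hashlib.md5(device).hexdigest(),
                           hashlib.sha1(device).hexdigest()))
```

This only applies to Raw images: an E01 file wraps the data in its own container, so hashing the file itself will not reproduce the drive hash.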

For more information, go to the Help menu to access the User Guide in PDF format.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Image is Everything, But it Doesn’t Have to Cost Anything – eDiscovery Best Practices

Do you remember this commercial?  Can you believe it’s 23 years old?

Let’s recap.  So far, in our discussion of free utilities for collection of data for eDiscovery, we’ve discussed the pitfalls of using drag and drop, the benefits of Robocopy (illustrating with the same example copy) and the benefits (and pitfalls) of Richcopy for targeted collection.  But, are there any free tools that will enable you to perform a bit-by-bit forensic image copy that includes deleted files and slack space data?  Yes, there are.

Forensic Toolkit (FTK) is a computer forensics software application provided by AccessData.  The toolkit includes a standalone disk imaging program called FTK Imager.  FTK Imager is a free tool that saves an image of a hard disk in one file or in segments that may be reconstructed later. It calculates MD5 or SHA-1 hash values of the original and the copy, confirming the integrity of the data before closing the files.

With FTK Imager, you can:

  • Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or individual files from various places within the media.
  • Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs, and DVDs – including files located in container files such as ZIP or RAR files.
  • Preview the contents of forensic images stored on the local machine or on a network drive.
  • Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive.
  • Export files and folders from forensic images.
  • See and recover files that have been deleted from the Recycle Bin, but have not yet been overwritten on the drive.
  • Create MD5 or SHA-1 hashes of files and generate hash reports for regular files and disk images (including files inside disk images) that you can later use as a benchmark to prove the integrity of your case evidence. When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition.

Like all forensically-sound collection tools, it retains the file system metadata (and the file path) and creates a log of the files copied.  You can also provide Case Number, Evidence Number, Unique Description, Examiner, and any Notes for tracking purposes to aid in chain of custody tracking.

To download FTK Imager, you can go to the AccessData Product Downloads page here.  Look for the link for FTK Imager in “Current Releases” (it’s currently the seventh item on the list) and open the folder and select the current version of FTK Imager (currently v3.1.2, released on 12/13/12).

Next week, we will begin to discuss how to use FTK Imager to preview files, create forensic images, recover deleted files and use hash values to validate your image.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

You Don’t Have to Be Rich to Use Richcopy – eDiscovery Best Practices

A couple of weeks ago, we discussed the pitfalls of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.

Last week, we discussed the benefits of Robocopy, how to access it via the command line prompt (if you have Windows Vista or later) and how to get it (if you don’t).  Then, we performed an example copy (using an Excel script I use to create the copy) and took a look at the results to show how the date metadata was preserved during the copy.  If you’d still like a copy of the Excel Robocopy script, feel free to request it by emailing me at daustin@cloudnincloudnine.comm.

If you want to be able to perform a forensically sound targeted collection, but would prefer a GUI based tool for performing the copy (instead of a command-line tool like Robocopy), then perhaps you should consider Richcopy.  RichCopy is a free computer utility program developed by Ken Tamaru of Microsoft to copy file directories.  It has some advantages, but also some pitfalls, to consider as a targeted copy and collection tool.

One of the benefits of Richcopy (in addition to the GUI interface) is that it copies several files simultaneously (“multi-threaded”), which can drastically reduce the time required for multi-gigabyte file copy operations (earlier versions of Robocopy didn’t support multi-threaded copying, but the current one does, with the /MT[:n] command).

Unfortunately, Richcopy has not been updated in nearly four years by the developer, so you may run into issues (for example, it apparently doesn’t handle file names longer than 255 characters) and, as a free utility, it’s not supported by Microsoft.  Also, Help doesn’t open up throughout much of the application, so getting additional information from the help file is not always easy.  Consider yourself warned.

You can download a copy of Richcopy from the link in this TechNet magazine article.  I did so, and performed the same copy of the Word document for the post Five Common Myths About Predictive Coding that I performed in the other cases.  Let’s see how Richcopy handled that file copy.

You’ll see below that the main form of Richcopy provides the ability to select the source and destination paths, and specify options (as indicated by the red box).  Once you have the parameters set, click the green “Go” button (as indicated by the red circle) to perform the copy.  Progress and logging information will appear in the two status windows below.

The Options button opens a dialog for specifying a variety of options, including copy parameters, thread counts, file attributes and error handling, files to be included and/or excluded (by name, extension or attributes, such as excluding system files) and logging.  As you’ll see below, I set the “files to be included” option to copy the example file I’ve been using in the other tests.

The result?  I did get a copy of the selected file which contained preserved file metadata (i.e., the Created date and the Accessed date reflect the original date and time when the file was created and last accessed).  However, it also copied empty folders for all of the folders underneath the source folder.  I couldn’t figure out how to turn it off and the aforementioned Help file issues didn’t enable me to identify a workaround.

If you absolutely require a GUI interface for free targeted file collection, Richcopy may be a better alternative than Robocopy, but not necessarily the best alternative.  Next week, we’ll begin discussing another free GUI alternative that not only supports targeted collection of files, but also supports bit-by-bit imaging to capture deleted files and slack space data!

So, what do you think?  Have you used Richcopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Performing an Example Copy with Robocopy – eDiscovery Best Practices

Yesterday, we discussed the benefits of Robocopy, how to access it via the command line prompt (if you have Windows Vista or later) and how to get it (if you don’t).  Today, we’re going to perform an example copy and take a look at the results.

As you’ll recall, we discussed the pitfalls last week of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.  Let’s see how Robocopy handles that file copy.

I mentioned yesterday that Robocopy is a command line tool.  If you’re really good at typing long commands at the command prompt without making a mistake, you can enter cmd in the ‘Search programs and files’ box from the Windows Start menu (‘Start’, then ‘Run’, for older versions of Windows) and that will open up a window with the command prompt.  Feel free to “have at it”.

I actually use Excel as a Robocopy script builder – courtesy of CloudNine Discovery’s Vice President of Computer Forensics, Michael Heslop (thanks, Mikey!).  The Excel workbook that I’m using takes user entered information regarding the custodian’s files to be copied and uses that to build a Robocopy statement that can then be executed at the command prompt.  I have three script examples in the Excel file: 1) Script to copy all files/folders in a folder path, 2) Script to copy specific file extensions in a folder path, and 3) Script to copy one file in a folder path.  It’s the third script example I’ll use here.

You’ll see below that I’ve highlighted the changes I’ve made to the single file copy script in the Excel spreadsheet, specifying the file name that I want to copy, the name of the custodian, the destination drive (in this case, the “E:” drive which references a connected external drive) and the path to be copied.

The resulting Robocopy statement created is as follows:

robocopy "C:\Users\daustin" "E:\Austin, Doug\C\Users\daustin" "Common Myths About Predictive Coding–eDiscovery Best Practices.docx" /S /ZB /XJ /V /TEE /W:0 /R:0 /LOG+:"E:\RobcopyLog-Austin,Doug.log"

This statement (that Michael created) takes the prompt information I’ve provided and uses it to build the Robocopy statement with desired copy and logging options.  To see a list of available options for Robocopy, type robocopy /? at the command prompt.

I take the Robocopy statement and copy it, pasting it into an empty file in Notepad or Wordpad, then save it with a file name that contains a “.bat” extension (e.g., robocop1.bat, saved to my desktop).  Then, simply double-click the file and it will open up a command window on the desktop and execute the statement.
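The script-builder idea described above can also be written as a short function. This is an added example, not the Excel workbook from the post: the function names are hypothetical, the options are the ones in the statement above, and the destination and log naming are assumptions modelled on that statement. It covers all three script variants and two quoting pitfalls that matter once the line is saved in a .bat file.

```python
import ntpath

# Copy and logging options taken from the statement shown on this page.
OPTIONS = ["/S", "/ZB", "/XJ", "/V", "/TEE", "/W:0", "/R:0"]

# Characters that cannot appear in a Windows folder name.
BAD_NAME_CHARS = set('<>:"/\\|?*')


def quote_path(path):
    # A quoted path ending in a backslash is misparsed: the final \" is read
    # as an escaped quote. Drop trailing backslashes; a bare drive root keeps
    # a doubled one, which is parsed as a single backslash.
    trimmed = path.rstrip("\\")
    if trimmed.endswith(":"):
        trimmed += "\\\\"
    return '"%s"' % trimmed


def build_statement(source, dest_drive, custodian, files=None):
    """Build one robocopy line for a .bat file.

    files=None copies everything under source (robocopy defaults to *.*),
    patterns such as ["*.docx"] copy by extension, and a single file name
    copies one file.
    """
    drive, tail = ntpath.splitdrive(source)
    if len(drive) != 2 or not tail.startswith("\\"):
        raise ValueError("source must be an absolute path on a lettered drive")
    if not custodian or BAD_NAME_CHARS & set(custodian):
        raise ValueError("custodian is not usable as a folder name: %r" % custodian)
    for name in files or []:
        if '"' in name:
            raise ValueError("double quote in file specification: %r" % name)

    root = dest_drive.rstrip("\\") + "\\"
    # Assumed layout, as in the statement above:
    #   <dest>\<custodian>\<source drive letter>\<source path>
    destination = ntpath.join(root, custodian, drive[0], tail.strip("\\"))
    log = ntpath.join(root, "RobcopyLog-%s.log" % custodian.replace(" ", ""))

    parts = ["robocopy", quote_path(source), quote_path(destination)]
    parts += ['"%s"' % name for name in files or []]
    parts += OPTIONS + ["/LOG+:" + quote_path(log)]
    # In a batch file a literal percent sign has to be doubled.
    return " ".join(parts).replace("%", "%%")


if __name__ == "__main__":
    # Constructed inputs for the three variants.
    print(build_statement("C:\\Users\\daustin", "E:", "Austin, Doug"))
    print(build_statement("C:\\Users\\daustin", "E:", "Austin, Doug", ["*.docx", "*.xlsx"]))
    print(build_statement("C:\\Users\\daustin", "E:", "Austin, Doug", ["Common Myths.docx"]))
```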

Doing so put a copy of the file in the E:\Austin, Doug\C\Users\daustin\Documents folder.  It also created a log file at the root which documents every folder it checked and the one folder in which it found the file.  Look at the properties of the copied file and you’ll see:

The Created date and the Accessed date reflect the original date and time when the file was created and last accessed.  That’s what we want!

You can request a copy of my Excel Robocopy script builder by sending an email to me at daustin@cloudnincloudnine.comm and I’ll be happy to send it to you.   It’s rudimentary, but it works!

So, what do you think?  Have you used Robocopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Want to Save Your Metadata in Collection? Robocop(y) to the Rescue! – eDiscovery Best Practices

I may be showing my age, but I love the original movie RoboCop (1987).  Good movie for its time (the original, not the sequels).  But, I digress…

Last week, we discussed the pitfalls of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.

I mentioned that there are better, more forensically sound, free methods for collecting data.  One such method is Robocopy.  Robocopy is short for “Robust File Copy”.  So, technically, it has nothing to do with RoboCop, unless you consider that it protects your file metadata during the copy and saves you from spoliation of data.  Here are some key benefits:

  • Saves Metadata: Preserves file system date/time stamps which, as we illustrated last week, drag and drop does not preserve;
  • Targeted Collections: Suitable for targeted active file collections, primarily based on copying folders and their contents (files and sub-folders), not for deleted files or data from unallocated space;
  • Reliable: Enables the user to resume copying where it left off in the event of network/system interruptions;
  • Complete: Supports mirroring of the source folder so that the entire contents can be copied, including empty folders;
  • Self-Documenting: Provides an option to log the copy process for self-documentation, useful for chain of custody tracking.

If you have Windows Vista (or a later version of Windows, such as Windows 7 or Windows 8), you already have the command line version of Robocopy.  Robocopy provides numerous options for copying, including how files are copied, which files are selected, options for retrying files that fail to copy and options to log the copy process.  To see all syntax options for Robocopy (and there are many), type robocopy /? at the command prompt.

If you have an earlier version of Windows (like XP), Robocopy is not automatically included with your version of Windows.  To install it you have two options: 1. Download the robocopy.exe from the Windows 2003 resource kit, or 2. Install a GUI version which includes the exe.

If you prefer a GUI interface for later versions of Windows, you can try Richcopy (which we will discuss next week).

Not excited about using a command line tool?  Tomorrow, we will walk through a Robocopy exercise with the same file I copied last week and I will discuss how you can build a Robocopy “script” in Excel (or use one that I already have) to make the copying and collection process easier.

So, what do you think?  Have you used Robocopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright ©Metro-Goldwyn-Mayer Studios Inc.

Pop Quiz: Is it Possible for a File to be Modified Before it is Created? – eDiscovery Best Practices

Sounds like a trick question, doesn’t it?  The answer is yes.  And, collecting files in a forensically unsound manner can be a drag…and drop.

You know those TV shows where they say “Don’t try this at home?”  Here is an exercise you can try at home.  Follow these steps:

Open Windows Explorer and go to one of your commonly used folders – for example, your Documents folder.  Select one of the documents by clicking on it.  Then, hold down the Ctrl key on your keyboard and drag that file to another folder (preferably another of your commonly used folders).  You’ve just created a copy of that file.  BTW, be sure you hold down the Ctrl key when dragging; otherwise, you will move the file to the new folder instead of copying it.

Go to the folder containing the new copy of the file in Windows Explorer and right-click on the file, then select Properties from the pop-up menu.  You will then see a Properties window similar to the one in the graphic at the top of this blog post.  In my example, I used a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.

Notice anything unusual?  The Created date and the Accessed date reflect the date and time that you performed a “drag and drop” of the file to create a copy of it in a new location.  The Modified date still reflects the date the original file was last modified – in my example above, the modified date is the date and time when I last edited that document in Word.  The file appears to have been modified one month before it was created.*

If this were an eDiscovery collection scenario and you used “drag and drop” to collect a file like this, then…congratulations! – you’ve just spoliated metadata during the collection process.  This is one reason why “drag and drop” is not a recommended approach for collecting data for eDiscovery purposes.
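The check below is an added example, not part of the original post: it reads a collected file's Created and Modified times and flags the "modified before created" pattern described above, while a hash comparison shows the content itself is unchanged. The file names, the 30-day offset and the 2-second tolerance are assumptions, and the sample file is constructed.

```python
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

def file_times(path):
    """Return (created, modified) in UTC. created is None where os.stat exposes
    no birth time (typical on Linux); Windows and macOS do expose one."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)   # macOS/BSD; Windows on Python 3.12+
    if birth is None and os.name == "nt":
        birth = st.st_ctime                      # creation time on older Windows Pythons
    created = None if birth is None else datetime.fromtimestamp(birth, timezone.utc)
    return created, datetime.fromtimestamp(st.st_mtime, timezone.utc)

def modified_before_created(created, modified, tolerance_s=2):
    """True when Modified precedes Created by more than the filesystem's
    timestamp granularity (2 s covers FAT): the signature of a plain copy."""
    if created is None:
        return False
    return (created - modified).total_seconds() > tolerance_s

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo():
    """Constructed sample: a file last edited 30 days ago is copied today."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "original.docx")
        dst = os.path.join(work, "collected.docx")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample content")
        edited = time.time() - 30 * 86400
        os.utime(src, (edited, edited))          # backdate Accessed and Modified
        shutil.copy2(src, dst)                   # keeps Modified; the copy is still a new file
        created, modified = file_times(dst)
        return {
            "same_content": sha256(src) == sha256(dst),
            "modified_kept": abs(modified.timestamp() - edited) < 2,
            "created": created,
            "flagged": modified_before_created(created, modified),
        }

if __name__ == "__main__":
    print(demo())
```

Matching hashes confirm only that the bytes survived the copy; the flag is what tells a reviewer that the filesystem dates no longer describe the original file.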

There are better, more forensically sound, free methods for collecting data, even if your goal is simply to perform a targeted collection of active files from within a folder.  If you wish to also collect deleted files and data from drive “slack space”, there are free methods for performing that collection as well.  Next week, we will begin discussing some of those methods.

So, what do you think?  Have you used “drag and drop” as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

* – Microsoft Office files do keep their own internal metadata date fields, so the date created would still be preserved within that field.  Other file types do not, so the “drag and drop” method would eliminate the date created completely for the new copies of those files.


Stored Communications Act Limits Production of Google Emails – eDiscovery Case Law

In Optiver Australia Pty. Ltd. & Anor. v. Tibra Trading Pty. Ltd. & Ors. (N.D.Cal., January 23, 2013), California Magistrate Judge Paul S. Grewal granted much of the defendant’s motion to quash subpoena of Google for electronic communications sent or received by certain Gmail accounts allegedly used by employees of the defendant because most of the request violated the terms of the Stored Communications Act.

The plaintiff alleged that several of its former employees copied the plaintiff’s proprietary source code, left the plaintiff company, and used the code to found the defendant in 2006.  After receiving a production from the defendant, the plaintiff “suspected that key emails relating to the allegedly stolen code were previously deleted”; as a result, the Federal Court of Australia ordered further discovery.  The defendant filed an ex parte application for judicial assistance pursuant to 28 U.S.C. § 1782 to serve a subpoena upon Google for documents to be used in the foreign proceeding, which was granted.

The plaintiff submitted two requests to Google, as follows:

  • “Request One: Documents sufficient to identify the recipient(s), sender, subject, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages that contain either of the terms ‘PGP’ or ‘Optiver’ (case insensitive) sent or received between January 1, 2006 and December 31, 2007” for selected email addresses; and
  • “Request Two: Documents sufficient to show the recipient(s), sender, subject, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages sent or received between November 3, 2005 to December 31, 2009 that were sent to or from” selected email addresses.

The defendant moved to quash the subpoena.

Judge Grewal noted that “it is well-established that civil subpoenas, including those issued pursuant to 28 U.S.C. § 1782, are subject to the prohibitions of the Stored Communications Act (‘SCA’)”, which was passed in 1986.  The SCA prohibits service providers from knowingly disclosing the contents of a user’s electronic communications.

Judge Grewal ruled that the plaintiff’s “Request One is invalid because it seeks disclosure of the terms ‘Optiver’ and ‘PGP’” and granted the defendant’s motion to quash that request.  As for Request Two, Judge Grewal ruled that it “violates the SCA insofar as it seeks the subject of the communications, but the remainder is permissible.”  Therefore, he ruled that Google was required to provide only the following: “Documents sufficient to show the recipient(s), sender, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages sent or received between November 3, 2005 to December 31, 2009 that were sent to or from the email addresses listed”.

So, what do you think?  Was the correct information excluded due to the SCA?  Please share any comments you might have or if you’d like to know more about a particular topic.


“Rap Weasel” Forced to Honor $1 Million Reward Offered via YouTube – eDiscovery Case Law

It isn’t every day that eDiscoveryDaily has reason to reference The Hollywood Reporter in a story about eDiscovery case law, but even celebrities have eDiscovery preservation obligations during litigation.  In Augstein v. Leslie, 11 Civ. 7512 (HB) (SDNY Oct. 17, 2012), New York District Judge Harold Baer imposed an adverse inference sanction against hip hop and R&B artist Ryan Leslie for “negligent destruction” of a hard drive returned to him by the plaintiff after a $1 million reward was offered via YouTube.  On November 28, a jury ordered him to pay the $1 million reward to the plaintiff.

Reward Offered, then Refused

While Leslie was on tour in Germany in 2010, a laptop and external hard drive (that contained some of Leslie’s songs not yet released) were stolen.  Capitalizing on his popularity on social media, Leslie initially offered $20,000 for return of the items, then, on November 6, 2010, a video on YouTube was posted increasing the reward to $1 million.  The increase of the reward was also publicized on Leslie’s Facebook and Twitter accounts.  After Augstein, a German auto repair shop owner, returned the laptop and hard drive, Leslie refused to pay the reward alleging “the intellectual property for which he valued the laptop was not present on the hard drive when it was returned”.

Plaintiff’s Arguments as to Why Reward was not Warranted

Leslie attempted to make the case that when he used the word “offer,” he really meant something different. He argued that a reasonable person would have understood mention of a reward not as a unilateral contract, but instead as an “advertisement” – an invitation to negotiate.

Leslie’s other argument was that, regardless of whether it was an “offer” or not, Augstein failed to perform because he did not return the intellectual property, only the physical property.  Leslie claimed that he and several staff members tried to access the data on the hard drive but were unable to do so.  Leslie sent the hard drive to the manufacturer, Avastor, which ultimately deleted the information and sent Leslie a replacement drive.  The facts associated with the attempts to recover information from the hard drive and requests by the manufacturer to do the same were in dispute between Leslie, his assistant, and Avastor, who claimed no request for data recovery was made by Leslie or anyone on his team.

Judge’s Responses and Decision

Regarding Leslie’s characterization of the offer as an “advertisement”, Judge Baer disagreed, noting that “Leslie’s videos and other activities together are best characterized as an offer for a reward. Leslie ‘sought to induce performance, unlike an invitation to negotiate [often an advertisement], which seeks a reciprocal promise.’”

Regarding Leslie’s duty to preserve the hard drive, Judge Baer noted: “In this case, Leslie was on notice that the information on the hard drive may be relevant to future litigation and, as a result, had an obligation to preserve that information. Augstein contacted Leslie personally and through his attorney regarding the payment of the reward, and a short time later, the hard drive was sent by Leslie to Avastor….Leslie does not dispute these facts.”  As a result, Judge Baer found that “Leslie and his team were at least negligent in their handling of the hard drive.”

Citing Zubulake among other cases with respect to negligence as sufficient for spoliation, Judge Baer ruled “I therefore impose a sanction of an adverse inference; it shall be assumed that the desired intellectual property was present on the hard drive when Augstein returned it to the police.”  This led to the jury’s decision and award last month, causing the New York Post to characterize Leslie as a “Rap Weasel”, which Leslie himself poked fun at on Instagram.  Only in America!

So, what do you think?  Was the adverse inference sanction warranted?  Please share any comments you might have or if you’d like to know more about a particular topic.
